Messages

1

22.1 Legacy Series / Re: openssl vulnerabilities CVE-2022-0778 -> needed version 1.1.1.n

« on: March 16, 2022, 09:45:24 pm »

...switch to LibreSSL (as long as it's still there) ;-)

LibreSSL ist affected by the same bug.

2

22.1 Legacy Series / Warnings while updating to 22.1.1_1 from 22.1

« on: February 17, 2022, 10:33:56 pm »

I installed the update from the Web UI and got some messages but the update rebooted to fast.
When I do a health check, I get this missing dependencies. What should it do?
>>> Check for missing package dependencies
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

3

21.7 Legacy Series / Re: LDAPS not working anymore with 21.7.4

« on: November 11, 2021, 03:23:02 pm »

I don't really understand one thing.
Our servers only deliver the server certificate, no intermediate certificates. But in OPNsense we have the root, intermediate and server certificates imported. So what you say is that it should have worked already but it didn't.

4

21.7 Legacy Series / Re: LDAPS not working anymore with 21.7.4

« on: November 10, 2021, 02:22:00 pm »

Old phones are old and there is a reason they should be dead and not working, especially when it comes to certificates.

5

21.7 Legacy Series / Re: LDAPS not working anymore with 21.7.4

« on: November 10, 2021, 10:03:56 am »

Thanks. That worked.
I didn't read it in the changelogs, is it new or was it changed?

6

21.7 Legacy Series / LDAPS not working anymore with 21.7.4

« on: November 10, 2021, 09:51:42 am »

I've installed 21.7.4 update yesterday and the OpenVPN clients with AD authentication cannot connect anymore.
I have installed the certificates under System -> Trust -> Authorities and they are still valid.
When I use the internal tester, I get this error.

Code: [Select]

The following input errors were detected:

    Authentication failed.
    error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
    ldap_error: Can't contact LDAP server
I have our internal CA, intermediate CA and the DC certificates installed.
How can I fix it?

7

21.7 Legacy Series / Re: 32 character limit in firewall aliases. Can it be increased?

« on: July 23, 2021, 10:08:16 am »

Here is the link to the bugtracker
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257270

The bug was closed because it cannot be changed.

8

General Discussion / Re: OpenVPN Server multiple encryption algorithms/ciphers

« on: April 16, 2021, 01:12:59 pm »

Thanks for the fix.
For the next time I will post it on GitHub

9

General Discussion / Re: Bug in HAProxy "Save & Test syntax"?

« on: April 06, 2021, 11:08:16 pm »

There is another error if you just press Save when HAProxy is disabled.
There is definitely something wrong.

10

General Discussion / Bug in HAProxy "Save & Test syntax"?

« on: April 04, 2021, 10:40:02 am »

I have configured some real server, backend pools, public services, conditions and rules.
If HAProxy is enabled, the "Save & Test syntax" is working.
If HAProxy is disabled, I get a lot of warnings.

Code: [Select]

HAProxy config contains critical errors
[NOTICE] 093/103813 (88702) : haproxy version is 2.2.11-c58c4e4
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:9]: unknown keyword 'uid' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:10]: unknown keyword 'gid' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:11]: unknown keyword 'chroot' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:12]: unknown keyword 'daemon' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:13]: unknown keyword 'stats' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:14]: unknown keyword 'nbproc' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:15]: unknown keyword 'nbthread' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:16]: unknown keyword 'tune.ssl.default-dh-param' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:17]: unknown keyword 'spread-checks' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:18]: unknown keyword 'tune.chksize' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:19]: unknown keyword 'tune.bufsize' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:20]: unknown keyword 'tune.lua.maxmem' out of section.
[ALERT] 093/103813 (88702) : parsing [/usr/local/etc/haproxy.conf.staging:21]: unknown keyword 'log' out of section.
[ALERT] 093/103813 (88702) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] 093/103813 (88702) : Fatal errors found in configuration.

This happens because the config is invalid when I disable HAProxy

Code: [Select]

#
# NOTE: HAProxy is currently DISABLED
#global
    uid                         80
    gid                         80

You can see that just global is commented.
Isn't there a better way to enable/disable HAProxy?
Doesn't sound like a good solution to need to enable HAProxy to test the syntax.

11

General Discussion / Re: OpenVPN Server multiple encryption algorithms/ciphers

« on: April 02, 2021, 10:29:38 pm »

The answer is easy, our employees are out the whole week at customers sites and they only allow standard ports at the firewall or we had long discussions with them to allow our ip/port for OpenVPN.
We don't want to start over again.

12

General Discussion / OpenVPN Server multiple encryption algorithms/ciphers

« on: April 02, 2021, 09:37:03 pm »

On the OpenVPN server settings, I can select ONE encryption algorithm.
Some years ago, I have select AES-256-CBC, but the current client logs a warning that this algorithm will be deprecated in the future.
Now I want to migrate slowly to a better algorithm AES-256-GCM as suggested by OpenVPN but I have a lot of users I cannot change immediately.
My idea is to select the new and the old algorithm so new and old configs can connect and in 6 months, I can turn off the old algorithm.
Since OpenVPN 2.4, this is possible, but I cannot do it in the GUI. Can you change that?
Is it possible to configure it on the command line?

13

20.7 Legacy Series / Re: Possible illegal Windows characters in backup file names for nextcloud

« on: June 15, 2020, 01:43:02 am »

You could use the fullwidth colon
https://www.compart.com/en/unicode/U+FF1A

I've tested it for windows and it works.
The only problem, nobody would ever know why it works when he doesn't compare the hex values

14

20.1 Legacy Series / AD auth LDAP with TLS and certificates question

« on: June 15, 2020, 01:15:46 am »

I've tried all the possible solutions I could find and nothing worked until I created one certificate per domain controller with the IP address in the common name.
Before, I had one certificate for all domain controllers with the different names in the subject alt name section.
Is this not supported?
Before I changed to a single certificate per DC, I always got this error in the logs.

Code: [Select]

opnsense: LDAP bind error [TLS: hostname does not match CN in peer certificate,Can't contact LDAP server]

15

19.7 Legacy Series / Re: LDAPS authentication server certificate issue with Azure AD

« on: May 17, 2020, 03:05:29 am »

Droppie391

Can you give me more details? I cannot get it to work.
Did you use IP addresses or domain names? FQDNs?
Do you have the domain names in the certificate in alternative names or directly as CN?